Is OpenClaw Safe? Inside the Massive AI Agent Security Crisis

Background and Scale of the Issue

OpenClaw quickly became a global sensation with more than 300,000 GitHub stars, but a security audit revealed 512 vulnerabilities (8 classified as critical). Over 20% of the plugins in its third‑party Skill market are malicious, and more than 135,000 instances are exposed to the public internet.

Why OpenClaw Is Powerful and Dangerous

OpenClaw runs as a local process using the logged‑in user’s privileges. It can execute shell commands, read/write files, and control the browser, giving it the same capabilities as a human operator on the machine.

Four Main Threat Vectors

Malicious Skills – The ClawHub skill registry allows anyone to publish a Skill. A scan of 3,984 Skills found 36% with detectable prompt‑injection issues and 1,467 confirmed malicious Skills. An organized supply‑chain attack named ClawHavoc injected over 1,184 malicious Skills using three techniques: prompt injection, hidden reverse shells, and credential theft.

Prompt Injection – OpenClaw cannot distinguish ordinary data from commands when reading emails, web pages, or chat messages. Crafted text can trigger unwanted actions, such as sending SSH keys to an attacker’s server.

WebSocket Local Hijacking (ClawJacked) – By default OpenClaw listens on port 18789 on all interfaces (0.0.0.0). A malicious webpage can open a WebSocket to this port, brute‑force passwords without rate limits, and add itself to OpenClaw’s trusted list, gaining persistent control.

Over‑Privileged Execution – OpenClaw runs with full user privileges and no sandbox. Misinterpreted commands (e.g., “clean desktop”) can delete years of work, and “reset development environment” may wipe far more than intended.

Potential Impact

Successful attacks allow adversaries to install software, delete files, steal all API keys, wallet private keys, and SSH credentials. Destructive commands such as rm -rf remove data permanently, bypassing any recycle bin.

Mitigation Recommendations

Update to versions released after 2026‑02‑25, which fix the ClawJacked vulnerability.

Never install Skills from untrusted sources; review the source code before adding them.

Bind the backend to 127.0.0.1 instead of the default 0.0.0.0:18789 to avoid public exposure.

Run OpenClaw under a low‑privilege dedicated account, e.g., ~/openclaw-workspace, rather than your main user account.

Enable confirmation prompts for high‑risk operations such as rm or bulk deletions.

Regularly back up important data; backups are the last line of defense against accidental or malicious loss.

Applying these measures can significantly reduce the attack surface, but the inherent risks of granting an AI agent full system access remain substantial.